EXECUTIVE SUMMARY


Introduction. The Army Supply Management business area of the Defense Business
Operations Fund manages inventories held for sale valued at $13.4 billion. The
Standard Army Intermediate Level Supply (SAILS) system is an automated system used
to manage about $2.2 billion of the $13.4 billion. Another automated system, the
Standard Army Financial Inventory Accounting and Reporting System (STARFIARS),
is  used  by  the  Defense  Finance  and  Accounting  Service  to  generate  financial  statements 
from  transactions  captured  by  the  SAILS  system. 

Objectives.  The  primary  objective  of  the  audit  was  to  assess  selected  elements  of  the 
Application  Change  Testing  and  Evaluation  program  for  the  SAILS  system  and  that 
program’s  interface  with  the  STARFIARS  financial  information  system.  The 
secondary  objective  was  to  assess  related  internal  controls. 

Audit  Results.  The  audit  identified  a  need  for  improvements  in  reconciliations  of 
inventory  balances,  management  of  in-transit  inventories,  and  computer  security. 

o On-hand retail inventory balances maintained by the SAILS system were not
being reconciled with the general ledger on-hand inventory balances maintained by
STARFIARS. That lack of reconciliation resulted in a $75.3 million inventory
imbalance between the two systems (Finding A).

o Visibility was not maintained over in-transit inventories valued at
$141.1 million, and manual controls designed to minimize in-transit inventories were
ineffective. Sixty-one percent of those inventories had been in-transit for over 90 days.
Ineffective controls over in-transit inventory reduced the availability of Defense
Business  Operations  (DBOF)  funds  and  may  also  result  in  erroneous  financial 
statements  (Finding  B). 

o  Controls  over  access  to  the  SAILS  system  and  STARFIARS  software  were 
inadequate. A Terminal Area Security Officer had not been appointed at the SAILS
system's central design activity, and documentation for STARFIARS software testing
was unavailable. An edit program for the SAILS system needed to be updated to
reflect changes in the software. Weak controls over system access and computer
security  personnel  can  expose  the  computer  system  to  abuse  and  manipulation 
(Finding  C). 

Internal  Controls.  The  audit  identified  material  internal  control  weaknesses.  Controls 
were not adequate to safeguard in-transit inventory items or critical computer software
and data. Part II addresses those weaknesses. As part of our audit, we assessed
management's  implementation  of  the  DoD  Internal  Management  Control  Program. 
Part  I  discusses  the  details  of  that  program  and  the  internal  controls  assessed. 

Potential Benefits of Audit. We could not quantify the potential monetary benefits of
this  audit.  However,  implementing  our  recommendations  will  improve  reporting  for 
financial  statements,  controls  over  critical  software,  and  prevention  of  unauthorized 
access  and  changes  to  that  software.  See  Appendix  B  for  details. 

Summary  of  Recommendations.  We  made  recommendations  to  bring  about 
improvements in reconciliations between the SAILS system and STARFIARS,
management  of  in-transit  inventory  items,  and  security  over  key  data  files;  to  appoint  a 
Terminal  Area  Security  Officer  at  the  SAILS  system's  central  design  activity;  and  to 
provide  additional  training  for  the  Information  Systems  Security  Officer. 

Management  Comments.  We  received  comments  from  the  Deputy  Chief  of  Staff  for 
Logistics, Department of the Army; the Deputy Director for Business Funds, Defense
Finance  and  Accounting  Service;  and  the  Commander,  U.S.  Army  Information 
Systems  Software  Development  Center  -  Washington.  Management  generally  agreed 
with  our  recommendations.  See  Part  II  for  a  full  discussion  of  management's 
comments  and  Part  IV  for  the  complete  text  of  those  comments.  Additional  comments 
are  requested  from  the  Director,  Defense  Finance  and  Accounting  Service;  Deputy 
Chief of Staff for Logistics, Department of the Army; and the Commander, Software
Development Center - Washington, Department of the Army. Those comments should
be  provided  by  January  6,  1995. 

Introduction


Background 


The Army Supply Management business area of the Defense Business
Operations  Fund  (DBOF)  manages  inventories  held  for  sale  valued  at 
$13.4  billion.  The  Standard  Army  Intermediate  Level  Supply  (SAILS)  system 
is  an  automated  system  used  to  manage  retail  inventories  valued  at  about 
$2.2  billion  of  the  $13.4  billion.  The  remaining  $11.2  billion  in  inventories  is 
managed by a number of other systems throughout the Army. Another
automated system, the Standard Army Financial Inventory Accounting and
Reporting System (STARFIARS), is used by the Defense Finance and
Accounting Service (DFAS) to generate financial statements from transactions
captured  by  the  SAILS  system. 

The  DBOF  Army  Supply  Management  business  area  consists  of  eight  retail 
divisions  and  one  wholesale  division  under  the  Deputy  Chief  of  Staff  for 
Logistics, Department of the Army, and sells inventories to Army components
on  a  cost-reimbursable  basis.  Seven  of  the  retail  divisions  are  organized  by 
command,  and  one  is  organized  by  function.  The  retail  supply  divisions  of  the 
Army  Supply  Management  business  area  are  the  U.S.  Army  Forces  Command; 
U.S.  Army,  Europe;  U.S.  Army  Training  and  Doctrine  Command;  U.S.  Army, 
Pacific;  Eighth  U.S.  Army,  Korea;  U.S.  Army  Southern  Command;  U.S. 
Army  Materiel  Command;  and  Defense  Supply  Service  -  Washington.  Figure  1 
shows  the  value  of  the  inventories  managed  by  the  eight  retail  divisions. 

Figure 1. Inventories Managed by the Eight Army Retail Supply Management
Divisions 


The  SAILS  system  performs  logistical  ordering,  supply,  and  inventory 
management for the Army's retail supply activities. The SAILS system is used
at  55  Army  locations  worldwide  to  manage  inventories  of  repair  parts,  industrial 
supplies,  general  supplies,  ground  support  supplies,  clothing,  packaged 
petroleum (for example, containers of motor oil), and bulk petroleum. The
system acts as a middleman, ordering supplies from the depot level to replenish
retail-level warehouse stock. The SAILS system also maintains inventory
records and processes retail-level transactions into the Army's financial
information systems. The SAILS system was developed in 1971 and consists
of about 500,000 lines of Common Business Oriented Language (COBOL)
code. The U.S. Army Information Systems Software Development Center -
Lee, Fort Lee, Virginia, is the central design activity for the SAILS system.

STARFIARS performs the financial accounting and reporting functions at most
Army  installations  worldwide.  STARFIARS  uses  transactions  captured  by  the 
SAILS  system  and  applies  them  to  a  general  ledger  maintained  by  STARFIARS. 
STARFIARS processes about 40 million inventory transactions each month at
65  Army  installations.  STARFIARS  was  designed  as  a  module  of  the  SAILS 
system,  but  became  a  separate  system  in  1973.  STARFIARS  consists  of  about 
200,000  lines  of  COBOL  code.  The  DFAS  Indianapolis  Center  is  the  central 
design  activity  for  STARFIARS.  Figure  2  shows  the  interrelationships  among 
the  SAILS  system,  STARFIARS,  and  the  Army's  Standard  Finance  System. 
The  Standard  Finance  System  processes  disbursements  and  collections  for  the 
Army  Supply  Management  business  area. 


Figure  2.  Processing  Procedures  for  Army  Retail  Inventory 

Public  Law  102-190,  the  "Chief  Financial  Officers  Act  of  1990,"  requires  DoD 
to  prepare  and  audit,  on  an  annual  basis,  financial  statements  for  funds  such  as 
the  DBOF  and  its  components.  The  goals  of  the  Act  are  to  improve  the 
effectiveness  of  the  Federal  Government's  general  and  financial  management 
practices;  to  improve  accounting,  financial  management,  and  internal  control 
systems;  and  to  provide  reliable,  timely,  and  consistent  financial  information  for 
use  in  the  financing,  management,  and  evaluation  of  Federal  programs.  Both 
the  SAILS  system  and  STARFIARS  must  produce  accurate  and  reliable 
financial  information  for  the  Army  Supply  Management  business  area  and  the 
overall  DBOF  financial  statements. 

The Army and DFAS are gradually replacing the SAILS system and
STARFIARS with new systems. The U.S. Army Information Systems Software
Development Center - Lee was developing a system called the Standard Army
Retail Supply System (SARSS) to replace existing wholesale and retail inventory
systems. SARSS is still in the development phase; however, its SARSS-
Objective module, which was designed to replace the SAILS system, has been
implemented at Fort Bragg, North Carolina; Fort Stewart, South Carolina; and
U.S.  Army  installations  in  the  Panama  Canal  Zone.  Those  sites,  however, 
continue  to  use  the  SAILS  system  on  a  parallel  basis.  SARSS-Objective  is 
targeted  for  Army-wide  implementation  by  FY  1999. 

The  DFAS  Indianapolis  Center  was  also  developing  a  new  system, 
STARFIARS-Modernization, to replace STARFIARS. The new system was
written in the Ada programming language and used a database interface. Ada is
a  programming  language  that  was  designed  by  DoD  to  improve  the  reliability, 
portability,  and  maintainability  of  software,  while  reducing  a  system's  life-cycle 
costs. 

At  the  time  of  our  audit,  the  DFAS  Indianapolis  Center  was  testing  software 
acceptance  at  Fort  Knox,  Kentucky.  About  $1.9  million  was  budgeted  for  the 
development of STARFIARS-Modernization.

The U.S. Army Strategic Logistics Agency, Alexandria, Virginia, was
developing another system, the Single Stock Fund Initiative, as a possible
alternative to STARFIARS-Modernization. The Single Stock Fund Initiative
attempts to combine logistics and financial functions and provide direct
interaction between retail and wholesale functions. At the time of our audit, the
Army was implementing and testing the Single Stock Fund Initiative at Fort
Hood, Texas. Development costs were about $13.4 million.

We did not review STARFIARS-Modernization or the Single Stock Fund
Initiative.  The  DBOF  Corporate  Board  has  formed  a  committee  to  determine 
whether  one  of  those  two  systems  or  another  system  will  be  selected  as  the 
migratory  system  for  DoD-wide  financial  reporting.  The  committee  plans  to 
complete  its  recommendations  to  the  DBOF  Corporate  Board  by  November  10, 
1994. 


Objectives 


The  original  objectives  of  the  audit  were  to  assess  the  completeness,  accuracy, 
and  reliability  of  the  SAILS  system;  to  determine  whether  the  system  satisfies 
General Accounting Office (GAO) requirements and DoD standards; and to
assess  internal  controls  over  the  system.  On  March  2,  1994,  we  modified  the 
Application Change Testing and Evaluation program for the SAILS system, and
the program's interface with financial information systems such as
STARFIARS. An application change, testing, and evaluation program includes
the  policies,  procedures,  and  processes  that  an  organization  uses  to  modify 
application  and  interface  software,  including  the  testing  and  evaluation  of  the 
modifications. 

Our  secondary  objective  was  to  assess  related  internal  controls. 


Scope  and  Methodology 


Time Period, Standards, and Locations. We performed this financial-related
audit  from  July  1993  through  April  1994  in  support  of  audits  of  the  FY  1993 
DBOF  financial  statements.  We  evaluated  selected  management  controls  to 
determine  whether  software  change  controls  at  the  SAILS  system  and 
STARFIARS  central  design  activities  were  adequate  to  ensure  the  reliability  of 
computer-processed  data  generated  by  the  systems.  We  also  analyzed  data  from 
the  SAILS  system's  operational  sites  to  determine  whether  management  was 
complying with key requirements of the SAILS system's operational criteria,
and to measure weaknesses in compliance with those criteria. Finally, we
reviewed  security  policies  and  access  to  the  systems,  programs,  and  data. 

This  audit  focused  on  software  development  at  the  central  design  activities  for 
both  the  SAILS  system  and  STARFIARS.  We  obtained  information  on  the 
2  systems  and  made  data  calls  and  site  visits  at  42  of  the  65  STARFIARS 
operational sites. Appendix C lists the organizations we visited or contacted.
The audit was made in accordance with auditing standards issued by the
Comptroller General of the United States as implemented by the Inspector
General,  DoD.  We  did  not  use  statistical  sampling  procedures  to  conduct  this 
audit. 

Computer-Processed Data. We relied on data generated by the SAILS system
and STARFIARS. Although we identified weaknesses that affected the
reliability of the computer-processed data, we determined that the data were
sufficiently reliable to support our audit conclusions. To test the reliability of
data,  we  reviewed  selected  general  and  application  controls  of  the  SAILS  system 
and  STARFIARS. 

Internal Controls


Controls  Assessed.  We  reviewed  internal  controls  over  the  interface  between 
the  SAILS  system  and  STARFIARS;  inventories  that  had  been  in-transit  for 
excessive  periods;  and  selected  general  and  application  controls  over  the  SAILS 
system  and  STARFIARS,  including  controls  over  application  software, 
computer security, and edit routines. Office of Management and Budget (OMB)
Circular No. A-123 requires each Federal agency to establish a program to
identify significant internal control weaknesses. The Department of the Army
and  DFAS  had  performed  the  reviews  required  by  DoD  Directive  5010.38, 
"Internal  Management  Control  Program,"  April  14,  1987. 

DFAS Statement of Assurance. The DFAS Annual Statement of
Assurance  for  FY 1993  reported  31  uncorrected  material  internal  control 
weaknesses  in  the  DBOF  accounting  system.  The  following  weaknesses  were 
relevant  to  our  audit: 

o Computer security weaknesses at the DFAS Indianapolis
Center included a lack of controls over operating system software and the
distribution of source code, and a lack of contingency resources. We also
identified  problems  with  computer  security;  see  Finding  C. 

o  Staffing  shortages  in  the  DFAS  Indianapolis  Center's  quality 
assurance program had impaired that Center's ability to evaluate procedural
effectiveness  and  internal  controls. 

Statement of Assurance from the U.S. Army Information Systems
Software Development Center - Lee. The FY 1993 Annual Statement of
Assurance for the U.S. Army Information Systems Software Development
Center - Lee identified one material weakness. The Software Development
Center was not complying with regulatory guidance for testing the Army's
information software under development. The U.S. Army Information Systems
Engineering Command's Internal Review Office had identified the weakness in
1992,  and  had  recommended  a  number  of  corrective  actions.  At  the  time  of  our 
review,  all  corrective  actions  had  been  taken. 

Material Internal Control Weaknesses Identified. The audit identified
material internal control weaknesses as defined by DoD Directive 5010.38.
Controls were in place, but were not implemented effectively. Specifically, the
Army's  implementation  of  internal  management  controls  did  not  effectively 
safeguard  in-transit  assets  against  waste,  loss,  unauthorized  use,  and 
misappropriation  (Finding  B).  Management  controls  over  computer  security 
were  not  adequate  to  prevent  unauthorized  tampering  with  critical  management 
software and data (Finding C). Recommendations B.1., C.1., C.2., and C.3.
in this report, if implemented, will correct the weaknesses. A copy of the final
report will be provided to the senior officials responsible for internal controls in
the  Department  of  the  Army  and  DFAS. 

Benefits  of  Audit.  We  could  not  quantify  the  potential  monetary  benefits  that 
will  result  from  correcting  the  material  internal  control  weaknesses.  Other 
benefits  are  explained  in  Appendix  B,  "Summary  of  Potential  Benefits  Resulting 
From  Audit." 


Prior  Audits  and  Other  Reviews 

Two GAO audit reports and one Army Audit Agency report identified
reportable  conditions  similar  to  those  we  identified.  All  of  the  reports  indicated 
that  problems  exist  in  financial  and  inventory  management. 

GAO  Reports.  GAO  Report  No.  GAO/AIMD-94-12  (OSD  Case  No.  9276-D), 
"Financial  Management:  Strong  Leadership  Needed  to  Improve  Army's 
Financial  Accountability,"  December  1993,  stated  that  weak  data  processing 
controls place financial systems data at risk. The GAO recommended that the
Assistant Secretary of Defense (Command, Control, Communications and
Intelligence)  issue  detailed  procedures  or  implement  existing  security  policies. 
DoD  concurred  with  the  recommendation. 

GAO  Report  No.  GAO/NSIAD-90-53  (OSD  Case  No.  8159),  "Army 
Inventory:  A  Single  Supply  System  Would  Enhance  Inventory  Management  and 
Readiness,"  January  1990,  stated  that  the  Army  had  problems  with 
redistributing  excess  inventory  from  the  retail  to  the  wholesale  system,  and  that 
Army  commands  did  not  always  report  excess  inventory.  The  GAO 
recommended  that  the  Army  establish  a  single  supply  system  and  make 
inventory  data  available  throughout  that  system,  and  that  item  managers  be 
authorized  to  redistribute  inventory.  DoD  concurred  with  all  recommendations. 

Army  Audit  Agency  Report.  The  Army  Audit  Agency  (AAA)  issued  Report 
No. NR 94-470, "Defense Business Operations Fund Army FY 1993 Financial
Statements,"  on  June  30,  1994.  Because  the  balances  in  Inventories  Held  for 
Sale,  Net,  did  not  include  inventory  located  at  retail  activities  and  included 
some  inventory  items  that  were  not  part  of  the  DBOF,  the  AAA  issued  a 
disclaimer  of  opinion  on  the  financial  statements.  Weaknesses  included  the 
following. 

o Because wholesale activities had not correctly recorded the receipts
for  inventory  in-transit  from  procurement,  the  validity  of  those  amounts  could 
not  be  ensured. 

o Because insufficient research was conducted on rejected transactions,
accurate balances for inventory on hand could not be assured.

o Wholesale and retail activities adjusted financial records to match
logistical records without researching imbalances to identify the causes.

o Weaknesses existed in internal controls over materials returned for
credit,  separation  of  duties,  and  audit  trails  for  about  $1.6  billion  in 
disbursements. 

The  AAA  reviewed  wholesale  inventory  and  its  operations;  however,  the 
problems with wholesale inventories in-transit are similar to the problems we
identified with retail inventories in-transit. See Finding B for details.

Finding A. Reconciliation of Inventory
Balances 

Unreconciled  net  differences  existed  between  inventory  balances 
maintained  by  the  Standard  Army  Intermediate  Level  Supply  (SAILS) 
system  and  the  Standard  Army  Financial  Inventory  Accounting  and 
Reporting System (STARFIARS). The differences totaled
$75.3  million,  and  the  gross  amount  of  errors  was  $135  million.  Those 
conditions  occurred  because  38  (91  percent)  of  the  42  Defense 
Accounting  Offices  (DAOs)  we  reviewed  were  not  performing  the 
required reconciliations between the two systems. As a result, the
imbalances  materially  affected  the  accuracy  of  management  and  financial 
reports  at  the  retail  inventory  level. 


Background 


Because  the  SAILS  system  and  STARFIARS  maintain  separate  master  files  that 
are  not  integrated,  manual  reconciliations  must  be  done  monthly. 
Reconciliations  are  needed  both  to  balance  the  on-hand  retail  inventory 
maintained  by  the  SAILS  system  with  the  inventory  in  the  general  ledger,  and  to 
ensure  that  both  systems  show  accurate  balances.  To  aid  in  reconciling  the 
two  systems,  STARFIARS  produces  two  monthly  reports: 

o  Report  No.  ALF-42A,  "ABF  [Availability  Balance  File]  Price 
Extension  and  Reconciliation  GL  [General  Ledger]  Error  List,"  which  identifies 
all  open  inventory  items  that  have  negative  on-hand  balances;  and 

o  Report  No.  ALF-42B,  "ABF  Price  Extension  and  Reconciliation," 
which  shows  differences  between  the  SAILS  system  and  STARFIARS  balances 
and  the  categories  of  materiel  for  those  differences. 

Army  Technical  Manual  38-C08-1-1,  "Standard  Army  Financial  Inventory 
Accounting  and  Reporting  Systems,  Financial  Management  Function," 
April 1989, gives the procedures for manual reconciliations. The technical
manual  states  that  logistics  and  accounting  personnel  must  work  together  to 
reconcile  the  two  systems  and  that  the  DAO  at  each  supply  installation  has 
overall  responsibility  for  the  monthly  reconciliations. 

Reconciliations


To test the reconciliation process, we asked DAOs supporting the Army's
supply installations to provide us with copies of the reconciliation reports for
September 30, 1993. We received responses from DAOs at 42 of the
65 STARFIARS sites surveyed. We then summarized the differences between
the SAILS system and STARFIARS. As shown in Appendix A, several
installations had large differences in on-hand inventory balances between the
two systems. For example, the SAILS system showed an on-hand balance of
$20.7 million for the 5th Corps Finance Group, Germany, while STARFIARS
showed  an  on-hand  balance  of  $4.4  million,  a  difference  of  $16.3  million.  At 
Fort  Stewart,  Georgia,  the  difference  between  the  two  systems  was 
$10.0  million,  and  at  the  75th  Theater  Finance  Command,  Korea,  the  difference 
was  $19.4  million. 

We  visited  or  contacted  six  installations  to  discuss  the  reconciliation  process 
with  employees  in  the  DAOs  who  processed  the  ALF-42B  reconciliation 
reports. We also spoke with employees in the Directorate of Logistics at
six installations and the DFAS Indianapolis Center. The activities we contacted
were not performing reconciliations because:

o  budget  cuts  had  reduced  staff, 

o employees in the logistics offices lacked experience because of early
retirements and reductions in force, and

o employees at the DAOs and in the DFAS Indianapolis Center's
Directorate  of  Logistics  did  not  have  the  technical  proficiency  needed  to  identify 
problems  with  the  SAILS  system  and  STARFIARS. 

Such  unreconciled  differences  result  in  inaccurate  information  being  provided  to 
decisionmakers.  Also,  if  the  differences  between  the  two  systems  are  material, 
they  should  be  disclosed  in  the  footnotes  to  the  financial  statements  of  the  Army 
Supply  Management  business  area. 


Conclusion 


STARFIARS  and  SAILS  data  must  be  reconciled  to  ensure  the  accuracy  of  the 
two systems until replacement systems eliminate the need for reconciliation.
Material discrepancies between the two systems should be disclosed in a
footnote to the financial statements for the Army DBOF Supply Management
business  area. 

Recommendations, Management Comments, and Audit
Response 


1. We recommend that the Director, Defense Finance and Accounting
Service, and the Deputy Chief of Staff for Logistics, Department of the
Army:


a.  Resolve  the  inconsistencies  between  inventory  balances 
maintained by the Standard Army Financial Inventory Accounting and
Reporting System and the Standard Army Intermediate Level Supply
system. 

(1)  Direct  the  Defense  Accounting  Offices  to  perform  the 
required  reconciliations. 

(2) Monitor the status of reconciliations to ensure that they
are performed monthly.

(3) Train employees at the Defense Accounting Offices in the
most efficient methods of performing reconciliations.

b. Use integrated databases for the replacement systems for the
Standard Army Financial Inventory Accounting and Reporting System and
the Standard Army Intermediate Level Supply system, in order to eliminate
the need to reconcile inventory balances between the two systems.

DFAS Concurred in Principle. The DFAS Deputy Director for Business
Funds concurred in principle with the recommendation. The Deputy Director
stated  that  both  the  STARFIARS  and  the  SAILS  systems  were  old,  and  that 
STARFIARS  probably  will  not  be  selected  as  an  interim  migratory  system  to 
support  the  DBOF.  The  SAILS  system  is  a  logistics  management  system  and  is 
not controlled by DFAS. Resources are not available to revise noninterim
migratory financial systems, and limited personnel resources make extensive
manual operations cost-prohibitive. The selection criteria for interim migratory
systems  require  integrated  databases,  and  DFAS  is  working  to  ensure  the 
integration  of  its  interim  financial  systems  with  the  standard  logistics  system 
being  developed  by  the  Joint  Logistics  Systems  Center.  Fully  integrating  the 
standard  finance  and  logistics  systems  will  eliminate  the  need  to  reconcile 
inventory and financial records. DFAS will make every effort to minimize
imbalances  until  interim  migratory  systems  are  selected,  integrated  with  logistics 
systems,  and  implemented  at  DFAS  sites. 

Audit  Response  to  DFAS  Comments.  We  agree  that  selection  of  migratory 
systems,  with  integrated  databases  shared  by  accounting  and  logistics  personnel, 
would eliminate the need for manual reconciliations. In the interim, however,
manual reconciliations between the SAILS and STARFIARS are necessary to
ensure that financial reporting is as accurate as possible. We request that DFAS
provide revised comments on this recommendation, giving a specific plan of
action and a proposed completion date.

Comments from the Deputy Chief of Staff for Logistics, Department of the
Army.  Management  stated  that  no  Army  response  was  necessary  for 
Recommendation  3.a.  In  response  to  Recommendation  3.b.,  the  Deputy  Chief 
of  Staff  stated  that  the  Army  will  not  have  an  integrated  system  to  replace  the 
present  systems;  however,  the  Army's  Total  Distribution  Plan  will  implement  or 
improve the interactive relationships between combat service support systems.

Audit  Response  to  Comments  from  Deputy  Chief  of  Staff  for  Logistics, 
Department of the Army. The comments from the Deputy Chief of Staff for
Logistics were nonresponsive. We recommended that the Director, Defense
Finance and Accounting Service, and the Deputy Chief of Staff for Logistics
resolve the inconsistencies between inventory balances maintained by the
STARFIARS and the SAILS systems. Although the Deputy Chief of Staff for
Logistics stated that no response was required, the Department of the Army
should work with the Defense Finance and Accounting Service to resolve these
differences. Interactive relationships between systems may help reduce
imbalances; however, this solution does not address current imbalances, which
could  affect  the  accuracy  of  the  Army  DBOF  Supply  Management  business 
area's  financial  statements. 

We  request  that  the  Deputy  Chief  of  Staff  for  Logistics,  Department  of  the 
Army, reconsider his response to Recommendations A.1.a. and A.1.b. and
provide  revised  comments  in  response  to  our  final  audit  report. 

2. We recommend that the Director, Defense Finance and Accounting
Service Indianapolis Center, disclose any material discrepancies in
inventory balances between the Standard Army Financial Inventory
Accounting and Reporting System and the Standard Army Intermediate
Level Supply system in a footnote to the financial statements of the Defense
Business Operations Fund Army Supply Management business area.

Comments  from  the  DFAS.  DFAS  concurred  in  principle  with  the 
recommendation, stating that the systems we audited are older systems and are
not  expected  to  become  an  interim  migratory  system  for  DBOF  support.  Based 
on  prior  audits,  a  number  of  systems  change  requests  have  been  initiated  to 
accumulate  data  in  financial  systems.  Competing  priorities,  however,  have 
prevented the completion of these systems change requests. Accumulating and
reporting the information necessary to produce footnotes to financial statements
would require adding a manual function. Also, the net aggregate amount of
differences between inventory balances in STARFIARS and the SAILS system
does not exceed the 3-percent threshold in the GAO audit manual for disclosure
of  material  discrepancies  in  footnotes. 

Audit Response. The DFAS comments were potentially responsive to our
recommendation. In response to the final report, we request that DFAS provide
supporting information for their assertion that materiality thresholds are not
exceeded. We are concerned that the net aggregate differences between the
systems may not be reflective of whether material discrepancies exist, and that
reporting of the gross differences may be required.


¹ "GAO Financial Audit Manual" (GAO/AFMD-12.19.5A), June 1992.

The value of in-transit inventories was overstated and included inventory
items that had been in-transit since 1990. About $88 million of the
$141.1 million of in-transit inventories had been in-transit for more than
90 days. That condition was caused by customers' failure to promptly
return their receipts after they received the items they had ordered, and
the SAILS system's inability to provide item managers with sufficient
information to promptly research and resolve in-transit items. As a
result, the Army DBOF Supply Management business area was delayed
in receiving reimbursements for in-transit items, and overstated the value
of inventories on its financial statements.

The Army is working to improve controls over in-transit inventory
items, but its initiatives will take time to develop. Better controls are
needed in the interim.


Background 


When a customer's requisition is entered into the SAILS system, the system
generates DD Form 1348-1, "DoD Single Line Item Release/Receipt
Document," for use as a receipting document. If an item is not on hand at the
installation, the SAILS system also generates a purchase request to order the
item from an Army wholesale depot or local supplier. When the purchase
request has been processed at the wholesale level and a Material Release Order
has been issued, the SAILS system is notified that the requested item has
reached shipping status. STARFIARS may then pay for the item using the
DBOF appropriation, or may wait until the receipt is processed. If the depot is
paid before the customer receives the item, STARFIARS places the inventory
into a "paid-in-transit" general ledger account.

The facility or location where the inventory items are received determines who
is responsible for generating the receipt and forwarding it to the document
control and files section of the supply installation. When the receipt has been
processed by the SAILS system and recorded in STARFIARS, the inventory is
removed from the paid-in-transit general ledger account and placed in the
on-hand inventory account. The customer's appropriation is charged and the
DBOF appropriation is reimbursed only after the receipt is processed.


Paid-in-Transit Items


As of September 30, 1993, the value of paid-in-transit items totaled
$141.1 million for the 42 Army retail supply activities reviewed.
Sixty-three percent of the dollar value of paid-in-transit items, a total of
$88 million, was more than 90 days old. By December 31, 1993, the value of
paid-in-transit items more than 90 days old for the 42 retail supply activities had
increased to $110.3 million. Some of the paid-in-transit items dated back to
FY 1990.

Supply item managers at installations told us that the primary reason for the
accumulation of paid-in-transit items was that customers failed to return their
receipts promptly. Managers said that because of limited personnel resources,
they could not conduct adequate research to determine whether the
paid-in-transit items had actually been received. We believe that this research
was more difficult because the SAILS system did not give item managers basic
information, such as whether the item had actually been shipped and the name
of the carrier.

Because customers generally were not billed until they acknowledged receipt of
the inventory items, the old paid-in-transit items unnecessarily reduced the funds
available to the DBOF. Furthermore, the old paid-in-transit items were still
shown as inventories of the Army's Supply Management business area, although
they may have been shipped to customers. Thus, inventory balances on the
financial statements for the Army's Supply Management business area may have
been overstated or counted twice.



Long-Term  Corrective  Action 


The Army's Strategic Logistics Agency has initiated two projects, the
Automated Manifest System and the Single Stock Fund System. In the future,
these systems may reduce the outstanding balance of paid-in-transit items and
allow better visibility of inventory items-in-transit.

Automated Manifest System. The Automated Manifest System is part
of the "In-Transit Visibility" program, which the Army is implementing at
several installations. That system will allow automated tracking of inventory
items-in-transit from the wholesale level to the installation level. The system
requires vendors to attach identification cards to each item being shipped. At
each shipping point, the identification cards will be scanned and the item's
location will be sent via satellite to a central database. The database will track
the location of each item as it is shipped, delivered, and received. At
installation level, identification cards will be scanned again, and files in logistics
systems will be automatically updated to show that the customer has received
the item.

Single Stock Fund Initiative. The Single Stock Fund Initiative is being
implemented at Fort Hood, Texas. It is both a financial system and a logistics
system, and is being considered as a migratory system to replace STARFIARS.

Under  STARFIARS,  DBOF  is  not  used  to  purchase  inventory  from  wholesale 
sources.  Instead,  the  customer's  funds  are  committed  when  the  customer 
requests  an  item.  When  the  item  reaches  shipping  status,  DBOF  pays  the 
vendor,  and  the  customer  reimburses  DBOF  after  the  receipt  has  been 
processed. 

In the Single Stock Fund Initiative, the vendor will charge the customer
directly. This method will not place any additional restrictions on an
installation's funds, since the customer's funds will have been committed and
will no longer be available for any other use.


Interim  Improvements  Needed 


Several  years  may  be  needed  to  fully  develop  and  implement  the  new  systems, 
and  their  effectiveness  is  unknown  at  this  time.  Therefore,  we  believe  that  the 
use  of  an  automated  feature  of  the  SAILS  system,  called  pseudo-receipts,  could 
significantly  reduce  the  number  of  items  in-transit.  With  the  pseudo-receipts 
feature,  the  customer  is  automatically  charged  for  the  item  after  the  item  has 
been  in  shipping  status  (or  in-transit)  for  a  specified  period  of  time. 

The SAILS system uses four code tables to control the pseudo-receipting
process. The code tables determine when automated followup to the customers
should take place, and whether a pseudo-receipt should be generated. Although
regulations state the minimum number of days that must elapse before an item
can be pseudo-receipted, there is no requirement that a pseudo-receipt must be
generated within a maximum number of days.


Conclusion 


The Army is taking long-term corrective actions to provide better visibility and
control over in-transit inventory items. However, short-term solutions are
needed to reimburse DBOF more promptly and reduce the number of inventory
items that are in-transit for excessive periods of time. Better use of the
pseudo-receipts feature of the SAILS system could provide the needed short-term
improvement.


Recommendations,  Management  Comments,  and  Audit 
Response 

1. We recommend that the Deputy Chief of Staff for Logistics,
Department of the Army, in order to ensure prompt reimbursement of the
Defense Business Operations Fund, establish uniform criteria for its supply
installations to use in automating the receipting process for paid-in-transit
items. Specifically, we recommend that the Standard Army Intermediate
Level Supply system's code tables be modified so that items not reported
lost or stolen within an established time frame are automatically
pseudo-receipted. If a customer states that the item was never received, the
command that shipped the item should be charged.

Comments from the Deputy Chief of Staff for Logistics, Department of the
Army. Management stated that the retail supply and inventory management
processes, including the pseudo-receipt feature, were being examined by study
groups that are rewriting Army Regulation 710-2. January 1996 is the
milestone for completing the rewrite of Army Regulation 710-2 and making
changes to logistics systems.

Audit Response. Although management's comments suggest that appropriate
long-term measures are being taken to comply with our recommendation,
short-term changes are needed in the interim. The SAILS system's code tables
should be modified so that items not reported as lost or stolen within an
established time frame are automatically pseudo-receipted.

We request that the Deputy Chief of Staff for Logistics, Department of the
Army, reconsider our recommendation and provide revised comments on this
final report, concurring or nonconcurring with our recommendations. If
management concurs, the comments should include the estimated dates for
completion of planned actions.

2. We recommend that the Director, Defense Finance and Accounting
Service Indianapolis Center, disclose, in footnotes to the financial
statements of the Defense Business Operations Fund Army Supply
Management business area, the total value of inventories paid-in-transit
that are more than 90 days old, if the amounts are considered material.

Comments from the DFAS. DFAS concurred in principle with the
recommendation, but stated that accumulating data manually is not
cost-effective because support systems are old, DFAS plans to replace the
support systems, and resources are limited.

As noted in the DFAS comments on Recommendation A.2., the amount of
DBOF inventory in-transit does not exceed the 3-percent threshold in the GAO
audit manual² for disclosure of material discrepancies in footnotes.

Audit Response. Management's comments are potentially responsive. If
DFAS has determined that in-transit inventories are below the required
materiality thresholds for financial reporting, we agree that disclosure is not
required. We request that DFAS provide supporting information for their
assertion that materiality thresholds are not exceeded. If in-transit inventories
exceed materiality thresholds in the future, appropriate footnotes will be
required. Since the DBOF Army Supply Management Business Area combines
wholesale and retail inventories for reporting purposes, both wholesale and
retail in-transit inventories should be considered when determining materiality
thresholds.


² "GAO Financial Audit Manual" (GAO/AFMD-12.19.5A), June 1992.

Finding C. Access Controls and Software Development Procedures

Controls over access to application software and software development
for SAILS and STARFIARS needed improvement. Specifically:

o access to SAILS and STARFIARS software was granted to
users who had no specific need for it;

o a Terminal Area Security Officer had not been appointed for
the SAILS system;

o testing of software changes for STARFIARS was not
documented; and

o SAILS software did not perform the edits needed to detect and
reject erroneous data.

The weaknesses in access controls occurred because the Information
Systems Security Officer had not received adequate training, and
therefore had not fully implemented the available features of the
computer system security software. The previous Terminal Area
Security Officer for the SAILS system had retired and had not been
replaced. Software testing was not documented because outdated Army
procedures instead of more comprehensive DFAS procedures were
followed. Edits to detect and reject erroneous data were not being done
because edit code tables were not updated when the SAILS system's
software was changed. Collectively, those weaknesses could
compromise the two systems, could result in the processing of erroneous
data, and could create an environment conducive to abuse and manipulation.


Background 


Computers used by the central design activities to maintain both the
STARFIARS and SAILS systems reside at the Multi-functional Information
Processing Activity, Letterkenny Army Depot, Chambersburg, Pennsylvania.
The central design activities use a telecommunications network to access the
computers. The Information Systems Security Officer for the computers
is assigned to the U.S. Army Information Systems Software Center's Software
Development Center - Washington (the Software Development Center -
Washington), Fairfax, Virginia. The Information Systems Software Center is
under the command of the U.S. Army Information Systems Engineering
Command, Fort Huachuca, Arizona.

Security Controls. Army Regulation 380-19, "Information Systems Security,"
August 1, 1990, lists the requirements for computer security and the
responsibilities of the Information Systems Security Officer. One of those
responsibilities is to manage access controls for the system. System access is to
be retired when a user has been transferred to other duties, reassigned, retired,
discharged, or otherwise separated. Sound computer security practices require
security officers to limit software access to personnel who have a bona fide need
to use the software, and to restrict access capabilities (that is, read-only or
read/write access) to the work requirements of those personnel.

The Information Systems Security Officer for both the SAILS system and
STARFIARS uses a proprietary software package, Access Control Facility-2
(ACF-2), to control access to the mainframe computer. The software operates
continuously to validate authorization before allowing access, and denies access
when the request is invalid. Attempts at access by invalid users are security
violations, and can be recorded for subsequent reporting and review. If ACF-2
permits a user to access a system, the user is restricted to the resources that he
or she is authorized to access. ACF-2 monitors access from all points of entry,
including terminals and batch processing submissions. ACF-2 uses software
tables, developed by the Information Systems Security Officer, to determine
which users are authorized to access the computer system and the levels or types
of access that each will have.

Edit Features. Edit features are normally built into application software to
screen transaction data for accuracy. Typically, edit features reject erroneous
data and generate reports that show why the data were rejected, so that users
can correct the errors and resubmit the data. Edit features can be built into the
application software or can compare input data with tables of valid codes.
Well-designed edit features are necessary for adequate controls over the
accuracy and reliability of data.

Office of Management and Budget (OMB) Circular A-130, "Management of
Federal Information Sources," December 24, 1985, requires Federal agencies to
ensure that data files, computer programs, and equipment are secured against
unauthorized changes, unauthorized disclosure and use, and destruction.


Access to Software Libraries


The software libraries for both the SAILS system and STARFIARS were
exposed to unauthorized access because the security officer had not
system access controls effectively and had not been trained to use the ACF-2
computer security software. The software libraries are data files that contain
program source codes, job control language, and executable programs for the
computer systems. We could not readily determine whether unauthorized users
had accessed the libraries.

Computer Access Controls. Our review of controls over access to the
computer showed that six employees other than the Information Systems
Security Officer had read/write access to the ACF-2 security software used to
protect the systems. Four employees were systems programmers who needed
read/write access in order to transfer computer functions from the Software
Development Center - Washington to Letterkenny Army Depot, Chambersburg,
Pennsylvania. (This transfer was ongoing during our audit.) One employee
was the Information Systems Security Officer at Letterkenny Army Depot, who
also needed access to support the transfer of computer functions to Letterkenny.
The fifth employee did not need read/write access. Granting read/write access
to the six employees facilitated the transfer of computer functions at the expense
of security controls over the SAILS system and STARFIARS software.

In  addition,  10  employees  at  the  Software  Development  Center  -  Washington 
had  read/write  access  to  the  STARFIARS  software.  Seven  of  those  employees 
worked  in  the  quality  assurance  division,  two  were  applications  programmers, 
and  one  was  the  Information  Systems  Security  Officer.  None  of  those 
employees  needed  read/write  access  to  STARFIARS  at  the  time  of  our  audit. 

Similarly, seven employees from the SAILS system design activity had
read/write access to almost all SAILS system software. Five of those
employees, including the system librarian, worked in the quality assurance
division. One employee was an applications programmer, and
performed the independent verification and validation of the most recent SAILS
system change package in early 1994. Granting read/write access to the
applications programmer eliminated the separation of duties between software
programmers and employees who tested the software for quality assurance. The
applications programmer no longer needed access because the testing had been
completed. Only the system librarian should have been granted read/write
access.

Other problems with the ACF-2 access control tables affected the SAILS
system's production software. At least four employees who no longer worked
with the SAILS system had access. One user identification number in the access
control table was no longer assigned to a user. One employee who had left
military service on February 25, 1994, still had read access. Two employees
had more than one user identification code.
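
The access-table conditions described above (departed personnel still listed, an unassigned identification number, multiple identification codes, and read/write access beyond work requirements) can be found by reconciling the access table against a personnel roster and a duties matrix. The following is an added example, not code from the audit or from ACF-2: the record layout, library names, roles, user IDs, review date and the matrix are constructed assumptions.

```python
"""Reconcile an access table against a personnel roster and a duties matrix.

All records below are constructed for illustration; this is not ACF-2 syntax.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVEL = {"none": 0, "read": 1, "write": 2}  # "write" stands for read/write


@dataclass(frozen=True)
class Grant:
    user_id: str
    library: str
    access: str  # "read" or "write"


@dataclass(frozen=True)
class Person:
    employee_no: str
    role: str
    separated: Optional[date] = None  # date the person left, if any


# Assumed duties matrix: the highest access each role needs per library.
ALLOWED = {
    "system librarian": {"SAILS.PROD": "write"},
    "quality assurance": {"SAILS.PROD": "read"},
    "applications programmer": {},  # no access to production libraries
    "security officer": {"SECURITY": "write"},
}

# Constructed roster, keyed by user ID. Employee E101 holds two IDs.
ROSTER = {
    "LIB01": Person("E100", "system librarian"),
    "QA01": Person("E101", "quality assurance"),
    "QA01B": Person("E101", "quality assurance"),
    "AP01": Person("E102", "applications programmer"),
    "ISSO1": Person("E103", "security officer"),
    "QA02": Person("E104", "quality assurance", separated=date(1994, 2, 25)),
}

# Constructed access table. X999 has no owner on the roster.
GRANTS = [
    Grant("LIB01", "SAILS.PROD", "write"),
    Grant("QA01", "SAILS.PROD", "write"),
    Grant("QA01B", "SAILS.PROD", "read"),
    Grant("AP01", "SAILS.PROD", "write"),
    Grant("ISSO1", "SECURITY", "write"),
    Grant("QA02", "SAILS.PROD", "read"),
    Grant("X999", "SAILS.PROD", "read"),
]

AS_OF = date(1994, 3, 31)  # constructed review date


def review(grants, roster, allowed, as_of):
    """Return sorted (finding, user_id, detail) tuples for every exception."""
    findings = set()
    ids_by_employee = defaultdict(set)
    for g in grants:
        person = roster.get(g.user_id)
        if person is None:
            # ID is in the access table but assigned to nobody.
            findings.add(("UNASSIGNED_ID", g.user_id, g.library))
            continue
        ids_by_employee[person.employee_no].add(g.user_id)
        if person.separated is not None and person.separated <= as_of:
            # Access should have been removed when the person left.
            findings.add(("SEPARATED", g.user_id, g.library))
            continue
        permitted = allowed.get(person.role, {}).get(g.library, "none")
        if LEVEL[g.access] > LEVEL[permitted]:
            # Granted more than the role's work requirements.
            findings.add(("EXCESS_ACCESS", g.user_id, g.library))
    for employee_no, ids in ids_by_employee.items():
        if len(ids) > 1:
            for user_id in ids:
                findings.add(("MULTIPLE_IDS", user_id, employee_no))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(GRANTS, ROSTER, ALLOWED, AS_OF):
        print(*finding)
```
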

Although the ACF-2 software capability can record, or log, any attempts at
improper access or access to sensitive files, the security log feature was not
being used. Therefore, the security officer could not readily detect any
improper access to the system or review access to sensitive files.

Generally, applications programmers should not have access to production
libraries; such access exposes software to unauthorized changes. The SAILS
system's software libraries should be controlled by the system librarian to
ensure that only those routines scheduled for modification are changed.
Figure 3 shows an access matrix that could serve as a guide for proper access
controls and separation of duties for a central design activity.

(1) Access is allowed but should be restricted to need to know.

(2) Use of sensitive utilities should be logged by security system.

(3) All access should be logged by security system.

(4) Access should be limited to execution and job scheduling.

Figure 3. Sample Access Controls Matrix

Security Officer Training. The weaknesses in access controls occurred
because the Information Systems Security Officer:

o had not designed the access tables for ACF-2 to prevent unauthorized
access,

o had not reviewed the existing access tables since his appointment as
security officer in 1991,

o had not ensured that personnel who had left the department were
dropped from the access list, and

o had not restricted access to conform to employees' work
requirements.

Those weaknesses were caused by the Information Systems Security Officer's
unfamiliarity with the ACF-2 security software. The Information Systems
Security Officer told us that he had received minimal training on the ACF-2
package; funding shortages had prevented further training.


Terminal  Area  Security  Officer  for  SAILS 


A Terminal Area Security Officer for the SAILS system's central design activity
had not been assigned as required. Army Regulation 380-19 requires the
Information Systems Security Officer to ensure that Terminal Area Security
Officers are appointed for each terminal or contiguous group of terminals that is
not under the direct control of the Information Systems Security Officer. The
Terminal Area Security Officer is responsible for issuing written instructions on
computer security, managing access controls to terminals, monitoring local
compliance with security procedures, and reporting actual or suspected security
violations to the Information Systems Security Officer. The previous Terminal
Area Security Officer had retired in September 1993. During our audit,
managers at the SAILS system's central design activity were initiating corrective
action to appoint a Terminal Area Security Officer.


Documentation  for  Software  Testing 


Because test plans were not developed for interim changes to the STARFIARS
software, the software may contain undetected errors. Documented testing
plans and results were not available for 16 interim software changes to
STARFIARS. DFAS Headquarters had developed detailed procedures for
software management, as outlined in "Configuration Management Systems
Change Request Regulation," DFAS Regulation 7920.3-R, July 1992.
However, the STARFIARS software was not tested in accordance with those
procedures. Instead, personnel used Army regulations that had been in effect
before DFAS was given responsibility for STARFIARS. When viewed
individually, the lack of documented test plans seemed insignificant. However,
because STARFIARS software is used for significant financial calculations, the
lack of formal test plans and results for 16 consecutive interim changes
increased the risk that the software may contain errors. The interim software
changes were made during a 3-year period.


Edit  Programs 


Because  of  an  oversight,  personnel  at  the  Central  Design  Activity  had  not 
updated  an  edit  table  used  by  the  SAILS  system.  The  edit  table,  which 
identified  erroneous  data,  should  have  been  updated  to  reflect  changes  in  the 
SAILS  system.  We  could  not  determine  how  long  the  outdated  edit  table  had 
been  used  or  whether  its  use  had  resulted  in  data  errors.  We  brought  this 
weakness  to  the  attention  of  the  functional  proponent  for  the  SAILS  system. 
Management  corrected  the  problem  immediately;  therefore,  we  are  not  making 
a  recommendation  regarding  edit  programs. 


Conclusion 


Better controls were needed over access to the SAILS and STARFIARS
systems. The Information Systems Security Officer at the Software
Development Center - Washington had not received adequate training in the use
of security software. Access controls over software libraries and security
software were inadequate. A Terminal Area Security Officer had not been
appointed at the SAILS central design activity, and documentation for
STARFIARS software testing was unavailable.


Recommendations, Management Comments, and Audit
Response

1. We recommend that the Director, Software Development Center -
Washington:

a. Provide additional security training to the Information Systems
Security Officer at the Software Development Center - Washington, to
include training on the Access Control Facility-2 security software.

Comments from Software Development Center - Washington. The
Commander, Software Development Center - Washington, concurred with the
recommendation. He stated that a request to train the Information Systems
Security Officer on the Access Control Facility-2 security software had been
submitted to the Center's training coordinator, and that additional training
would also be requested.

b. Limit access to software libraries for the Standard Army
Intermediate Level Supply System and the Standard Army Financial
Inventory Accounting and Reporting System to personnel whose duties
require such access, in a manner that provides adequate separation of
duties.

Comments from Software Development Center - Washington. The
Commander, Software Development Center - Washington, concurred with the
recommendation. He stated that management would evaluate users'
requirements for continued access to the SAILS and STARFIARS systems, and
would use the ACF-2 security software to protect software libraries. He also
stated that in order to eliminate unauthorized access in the future, the Software
Development Center - Washington would coordinate these efforts with the
Terminal Area Security Officer.

Audit  Response.  Although  the  comments  from  the  Software  Development 
Center  -  Washington  were  responsive,  planned  completion  dates  for  corrective 
actions  were  not  provided.  We  request  that  the  Software  Development  Center  - 
Washington  provide  planned  completion  dates  in  response  to  our  final  report. 

c. Limit access to the Access Control Facility-2 security software to
personnel who are responsible for computer security.

Comments from Software Development Center - Washington. The
Commander, Software Development Center - Washington, concurred with the
recommendation and stated that normal access has been restored for the systems
programmers who had special access to the ACF-2 security system during the
transfer of computer functions. For the applications programmers who work in
quality assurance, access has also been limited. These actions were completed
in July 1994.

d. Review prior access to the production libraries and Access
Control Facility-2 software for the Standard Army Intermediate Level
Supply System and the Standard Army Financial Inventory Accounting and
Reporting System, to determine whether any users have had improper
access to these systems and how unauthorized access may have affected the
system's integrity.

Comments from Software Development Center - Washington. The
Commander, Software Development Center - Washington, concurred with the
recommendation and stated that in July 1994, the Center's Information Systems
Security Officer and ACF-2 administrator had reviewed both systems'
production libraries for unusual updates to data.

e. Activate the security log feature of the ACF-2 security software
and require the Information Systems Security Officer to review the log for
attempts to improperly access the system and use sensitive files.

Comments  from  Software  Development  Center  -  Washington.  The 
Commander,  Software  Development  Center  -  Washington,  concurred  with  the 
recommendation  and  stated  that  security  reports  are  now  being  generated  and 
are  reviewed  daily  by  the  Center's  Information  Systems  Security  Officer. 

f. Verify that a Terminal Area Security Officer has been appointed
at the U.S. Army Information Systems Software Development Center - Lee,
Fort Lee, Virginia, as required by Army Regulation 380-19, "Information
Systems Security," August 1, 1990.

Comments from Software Development Center - Washington. The
Commander, Software Development Center - Washington, concurred with the
recommendation and stated that a Terminal Area Security Officer was appointed
on August 29, 1994.

2. We recommend that the Director, Defense Finance and Accounting
Service Indianapolis Center, Fort Benjamin Harrison, Indiana, develop
procedures and controls for its software development staff to verify the
adequacy of documentation of all software testing plans and results for the
Standard Army Financial Inventory Accounting and Reporting System.

Comments  from  DFAS.  The  Deputy  Director  for  Business  Funds,  DFAS, 
concurred  with  the  recommendation  and  stated  that  current  DFAS  guidance 
provides  the  procedures  and  controls  we  recommended.  All  future  tests  will  be 
the subject of formal test plans developed in compliance with the DFAS
guidance. All such plans and their results will be maintained for audit purposes.

Finding C. Access Controls and Software Development Procedures


The  functional  proponent  for  STARFIARS  had  written  verification  that  the 
16 interim change packages referred to in the audit report were tested and
validated  by  system  users.  Interim  change  packages  are  operationally  validated 
as  follows: 

o A description of the corrective action in the change package is sent to
the test site.

o The code for the interim change is sent to a user, who tests the
changes.

o The lead site tests the change and informs the proponent of the results.

o Depending on the test results, the change package is revised to correct
any deficiencies or is released for implementation by all users.

Audit  Response.  The  comments  from  the  Deputy  Director  for  Business  Funds, 
DFAS,  were  responsive.  We  were  aware  that  the  functional  proponent  for 
STARFIARS had written verification that the 16 interim changes had been
operationally  tested.  However,  we  did  not  believe  that  the  tests  constituted  an 
adequate  quality  assurance  review  of  the  changes.  Also,  the  tests  had  not  been 
conducted  in  accordance  with  DFAS  guidance.  Therefore,  a  more  formal 
testing process is warranted, as proposed by management. Since all future
software changes will include formal test plans, as the DFAS comments stated,
we consider the corrective action for this recommendation to be complete.

Part III - Additional Information

Appendix A. Variances Reported Between the SAILS System and ST.

*The ALF-42B "Price Extension and Reconciliation" report was not available.
**The  installation  fiotne  was  not  provided. 


Appendix B. Summary of Potential Benefits Resulting From Audit


Recommendation
Reference           Description of Benefit                    Type of Benefit

A.1., A.2.          Data Accuracy. Improved accuracy          Nonmonetary
                    in reporting of inventory balances.

B.1.                Internal Controls. Improved               Nonmonetary
                    controls over in-transit inventories.

B.2.                Data Accuracy. Full disclosure of         Nonmonetary
                    in-transit inventories on financial
                    statements.

C.1.a., C.1.b.,     Internal Controls. Improved               Nonmonetary
C.1.c., C.1.d.,     controls over access to computer
C.1.e., C.1.f.      terminals.

C.2.                Internal Controls. Improved               Nonmonetary
                    controls over system testing
                    procedures.


Appendix C. Organizations Visited or Contacted


Office  of  the  Secretary  of  Defense 

Assistant  Deputy  Under  Secretary  of  Defense  for  Logistics  (Logistics  Systems 
Development),  Washington,  DC 


Department  of  the  Army 

Headquarters, U.S. Army Forces Command, Fort McPherson, GA
U.S. Army Training and Doctrine Command, Fort Monroe, VA
U.S. Army Air Defense Artillery Center, Fort Bliss, TX
U.S. Army Aviation Center, Fort Rucker, AL
U.S. Army Garrison, Fort Belvoir, VA
U.S. Army Information Systems Command, Fort Huachuca, AZ
U.S. Army Information Systems Software Development Center - Lee, Fort Lee, VA
U.S. Army Strategic Logistics Agency, Alexandria, VA
U.S.  Army  Information  Systems  Engineering  Command,  Fort  Huachuca,  AZ 
U.S.  Army  Audit  Agency,  Alexandria,  VA 


Defense  Agencies 

Defense Finance and Accounting Service Center, Indianapolis, IN
Defense Accounting Office, Fort Bliss, TX
Defense Accounting Office, Fort Rucker, AL
Defense Accounting Office, Fort Lee, VA
Defense  Accounting  Office,  Fort  Belvoir,  VA 
Defense  Information  Systems  Agency,  Arlington,  VA 


Other  Defense  Organizations 

U.S. Joint Logistics Systems Center, Dayton, OH

Non-Defense  Federal  Organizations 

U.S.  General  Accounting  Office,  Washington,  DC 

Federal Accounting Standards Advisory Board, Washington, DC

Appendix D. Report Distribution


Office  of  the  Secretary  of  Defense 

Under Secretary of Defense (Comptroller)
Assistant Secretary of Defense (Command, Control, Communications and Intelligence)


Department  of  the  Army 

Secretary  of  the  Army 

Deputy  Chief  of  Staff  for  Logistics,  Supply  Policy  Division 
Commander,  U.S.  Army  Forces  Command,  Fort  McPherson,  GA 
Commander,  U.S.  Army  Training  and  Doctrine  Command,  Fort  Monroe,  VA 
Commander,  U.S.  Army  Air  Defense  Artillery  Center,  Fort  Bliss,  TX 
Commander, U.S. Army Aviation Center, Fort Rucker, AL
Commander, U.S. Army Garrison, Fort Belvoir, VA
Commander, U.S. Army Information Systems Command, Fort Huachuca, AZ
Commander, U.S. Army Information Systems Software Development Center - Lee,
Fort Lee, VA
Commander, U.S. Army Information Systems Engineering Command,
Fort Huachuca, AZ

Commander,  U.S.  Army  Information  Systems  Software  Center,  Fort  Belvoir,  VA 
Washington  Development  Center,  Fort  Belvoir,  VA 
Director,  U.S.  Army  Strategic  Logistics  Agency,  Alexandria,  VA 
Auditor  General,  U.S.  Army  Audit  Agency 


Defense  Agencies 

Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Indianapolis  Center 
Director,  Defense  Accounting  Office,  Fort  Bliss,  TX 
Director,  Defense  Accounting  Office,  Fort  Rucker,  AL 
Director,  Defense  Accounting  Office,  Fort  Lee,  VA 
Director, Defense Accounting Office, Fort Belvoir, VA

Non-Defense Organizations

Office of Management and Budget
Technical Information Center, National Security and International Affairs Division,
U.S. General Accounting Office

Chairman and Ranking Minority Member of Each of the Following Congressional
Committees and Subcommittees:

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 

Subcommittee  on  Force  Requirements  and  Personnel,  Committee  on  Armed 
Services 

Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 

House Subcommittee on Military Forces and Personnel, Committee on Armed Services
House Committee on Government Operations
House Subcommittee on Legislation and National Security, Committee on Government
Operations


This page was left out of original document

Part IV - Management Comments


Deputy Chief of Staff for Logistics Comments


DALO-SMP


DEPARTMENT OF THE ARMY
OFFICE OF THE DEPUTY CHIEF OF STAFF FOR LOGISTICS
500 ARMY PENTAGON
WASHINGTON, DC 20310-0500


13 SEP 1994


MEMORANDUM  THRU 
DIRECTOR  OF  THE  ARMY  STAFF 

ASSISTANT SECRETARY OF THE ARMY (INSTALLATIONS, LOGISTICS AND
ENVIRONMENT)

FOR DIRECTOR OF FINANCIAL MANAGEMENT, OFFICE OF THE INSPECTOR
GENERAL, DEPARTMENT OF DEFENSE

SUBJECT: Army Report of Applications Controls Over Selected
Portions of the Standard Army Intermediate Level Supply System
(Project No. 3FG-2020) -- INFORMATION MEMORANDUM


1. This is in reference to HQ, USAAA memorandum of H July 1994
(Tab A) which asked the ODCSLOG to respond to your memorandum of
30 June 1994 (Encl to Tab A). Your memorandum asked that ODCSLOG
provide comments and a statement of corrective action to be
taken.

2. This is an interim reply. Activities outside ODCSLOG will be
tasked for final reply information. The final reply is expected
to be forwarded on 7 October 1994. Replies in those areas for
which ODCSLOG has staff responsibility are at Tab B.

FOR  THE  DEPUTY  CHIEF  OF  STAFF  FOR  LOGISTICS: 


2 Encls


JOHN J. CUSICK
Major General, GS
Director of Supply
and Maintenance


CF: 

HQDA^  VeSA,  DCSLOG,  SAAG-PRP*A, 
SAIG-PA,  DALD-ZXA 


CDR,  AMC 


SAILE - Concur, Mr. Croom/6975727 (by conference)

DFAS - Noted, Mr. Dere/DSN 999-3041 (by phone)

USAISC - Noted, Mr. Fitzpatrick/DSN 879-2514 (by phone)


Mr.  Stinson,‘X4 67513


Responses
to
Office of the Inspector General
Department of Defense
Draft of a Proposed Audit Report,
"Application Controls Over Selected Portions of the
Standard Army Intermediate Level Supply System"
Project Number 3FG-2020,
dated June 30, 1994


Finding A. Reconciliation of Inventory Balances

Unreconciled net differences existed between inventory
balances maintained by the Standard Army Intermediate Level
Supply System (SAILS) and the Standard Army Financial Inventory
Accounting and Reporting System (STARFIARS). The differences
totaled $75.3 million, and the gross amount of errors was $135
million.  Those  conditions  occurred  because  38  (91  percent)  of 
the  42  Defense  Accounting  Offices  (DAOs)  we  reviewed  were  not 
performing  the  required  reconciliations  between  the  two  systems. 
As  a  result,  the  imbalances  materially  affected  the  accuracy  of 
management  and  financial  reports  at  the  retail  inventory  level. 


Recommendation 1:

We recommend that the Director, Defense Finance and
Accounting Service, and the Deputy Chief of Staff for Logistics,
Department  of  the  Army: 

a.  Resolve  the  inconsistencies  between  inventory  balances 
maintained  by  the  STARFIARS  and  the  SAILS  system.  Efforts 
should: 

(1)  Direct  the  Defense  Accounting  Offices  to  perform 
the  required  reconciliations. 

(2)  Monitor  the  status  of  reconciliations  to  ensure 
that  they  are  performed  monthly. 

(3)  Train  employees  at  the  Defense  Accounting  Offices 
in  the  most  efficient  methods  of  performing  reconciliations. 

ODCSLOG Response: No Army response required.

b. Use integrated data bases for their replacement systems
for the STARFIARS and the SAILS system, in order to eliminate the
need to reconcile inventory balances between the two systems.

ODCSLOG Response:

The SAILS near-term replacement Standard Army Management
Information System (STAMIS) - Standard Army Retail Supply System-
Objective (SARSS-O) - is not planned to be integrated with
STARFIARS; however, it is an interactive system. It is more
efficient in providing essential, timely data exchange to and
from STARFIARS. As mentioned in this report, the Army is testing
the Single Stock Fund concept that extends the wholesale stock
fund down to the installation or equivalent level. This will
eliminate the need for retail Defense Business Operating Fund
(DBOF) accounting and reporting at the retail level. The Army
will not have an integrated system to replace the present
systems; however, the Army's Total Distribution Plan will
integrate all efforts to implement or improve the interactive
relationships between all Combat Service Support systems.

Recommendation 2: No Army response required.

FINDING B. Inventory Paid-in-Transit

The values of in-transit inventories were overstated and
included inventory items that had been in an in-transit status
since 1990. About $88.0 million of the $141.1 million in-transit
inventories has been in an in-transit status for more than 90
days. That condition was primarily caused by failure of the
customers to promptly return the receiving documents upon receipt
of the inventory items and the SAILS system's inability to
provide sufficient information to item managers for rapid
research and resolution. As a result, the Army DBOF supply
business area incurred delays in reimbursements for those items
and overstated the value of the inventories on its financial
statements.

While the Army has initiatives to improve controls over
"in-transit" inventory items, the initiatives will take time to
develop. Better controls are needed in the interim.

Recommendation 1:

We recommend that the Deputy Chief of Staff for Logistics,
Department of the Army, establish uniform criteria to be used by
its supply installations to automate the receipting process for
paid-in-transit items to ensure replenishment of the DBOF.
Specifically, we recommend the SAILS system code tables be
modified so that items not reported lost or stolen within an
established timeframe are automatically pseudo-receipted. In
cases when the customer replies that the item was never received,
the shipping command should be charged for the item.

ODCSLOG Response: Noted. The entire retail supply and inventory
management paradigm, to include repair parts requirements and
management, is being segmented into processes and worked during
the Army Regulation 710-2 rewrite by internal velocity management
and individual process area study groups. The pseudo-receipt
process will be an integral part of the review. Under the
Standard Army Retail Supply System-Objective pseudo-receipting
will not exist. The milestone for completion of Army Regulation
710-2 rewrite and logistical STAMIS change is Jan 96.

Recommendation 2: No Army response required.

FINDING C. Access Controls and Software Development Procedures

Controls  over  access  to  application  software  and  software 
development  for  SAILS  and  STARFIARS  needed  improvement. 

Specifically:

o Access to the SAILS and STARFIARS software was allowed to
users who had no specific need for that access.

o A SAILS system Terminal Area Security Officer was not in
place.

o Testing of software changes for STARFIARS was not
documented.

o Needed edits to detect and reject erroneous data were not
being done by SAILS system software.

The  access  control  weaknesses  occurred  because  the 
Information  Systems  Security  Officer,  due  to  a  lack  of  training, 
had not fully implemented the available features of the computer
system security software. The SAILS System Terminal Area
Security Officer was not in place because the previous officer
had retired and no new officer had been assigned to replace him.
Software testing was not documented due to neglect. Edits to
detect and reject erroneous data were not being done because the
edit code tables were not updated as changes were made to the
SAILS system software. Collectively, those weaknesses described
could  result  in  compromise  of  the  two  systems  and  processing  of 
erroneous  data,  which  could  provide  an  environment  conducive  to 
fraudulent  acts. 


Recommendation 1:

We recommend that the Director, Washington Development
Center:


a. Provide additional security training to the Washington
Development Center Information Systems Security Officer to
include training on the Access Control Facility-2 (ACF-2)
security software.

b. Limit access to software libraries for the SAILS system
and the STARFIARS to personnel whose duties require such action
in  a  manner  that  would  provide  adequate  separation  of  duties. 

c.  Limit  access  to  the  ACF-2  security  software  to  those 
personnel  that  have  computer  security  responsibilities. 

d.  Review  prior  access  to  the  SAILS  system  and  the  STARFIARS 
production  libraries  and  ACF-2  to  determine  if  any  improper 
access  to  these  systems  have  been  made  and  to  determine  the 
effects  of  the  unauthorized  access  on  the  integrity  of  the 
system. 


e.  Activate  the  security  logging  feature  of  the  ACF-2 
security  system  and  require  its  security  officer  to  review  the 
log  for  attempts  at  improper  access  to  the  system  and  usage  of 
sensitive  files. 

f.  Verify  that  a  Terminal  Area  Security  Officer  has  been 
appointed  at  the  Systems  Design  Center  at  Fort  Lee  as  required  by 
Army  Regulation  380-19,  "Information  Systems  Security,"  August  1, 
1990. 

ODCSLOG Response: Obtaining/awaiting input from USAISC.

Recommendation 2:

We recommend that the Director, Defense Finance and
Accounting Service-Indianapolis Center, develop procedures and
controls for its software development staff to verify the
adequacy of documentation of all software test plans and testing
results for the STARFIARS.

ODCSLOG Response: No Army response required.

Defense Finance and Accounting Service Comments


DEFENSE FINANCE AND ACCOUNTING SERVICE
1«91 JEFFERSON DAVIS HIGHWAY
ARLINGTON, VA >2240-8891


DFAS-HQ/AB


MEMORANDUM FOR OFFICE OF THE INSPECTOR GENERAL, DOD
(ATTN: DIRECTOR, FINANCIAL MANAGEMENT)

SUBJECT: DoD Draft Report, "Application Controls Over Selected
Portions of the Standard Army Intermediate Level Supply
System," dated June 30, 1994 (Project Code 3FG-2020)

Your memorandum of June 30, 1994, provided the subject draft
report for review and comment. We have reviewed the report, and
our comments are included in the attachment.

If additional information is required, my point of contact
is Mr. Ron Bishop, DFAS-HQ/AB, at (703) 607-0741.


Deputy Director for Business Funds


Attachment


Draft Report

APPLICATION CONTROLS OVER SELECTED PORTIONS OF
THE STANDARD ARMY INTERMEDIATE LEVEL SUPPLY SYSTEM
PROJECT CODE 3FG-2020


• Recommendation A.1: We recommend that the Director, Defense
Finance and Accounting Service, and the Deputy Chief of
Staff for Logistics, Department of the Army:

a. Resolve the inconsistencies between inventory balances
maintained by the Standard Army Financial Inventory
Accounting and Reporting System and the Standard Army
Intermediate Level Supply System. Efforts should:

(1) Direct the Defense Accounting Offices to perform
the required reconciliations.

(2) Monitor the status of reconciliations to ensure
that they are performed monthly.

(3) Train employees at the Defense Accounting Offices
in the most efficient methods of performing reconciliations.

b. Use integrated data bases for their replacement systems
for the Standard Army Financial Inventory Accounting and
Reporting System and the Standard Army Intermediate Level
Supply System, in order to eliminate the need to reconcile
inventory balances between the two systems.

• DFAS Response: Concur in principle. The systems audited,
Standard Army Financial Inventory Accounting and Reporting
System (STARFIARS) and the Standard Army Intermediate Level
Supply System (SAILS) are older systems. The financial
system, STARFIARS, is not expected to become an interim
migratory system to support the DBOF, and SAILS system, a
logistics management system, is not under DFAS functional
control. Resources are not available to revise non-interim
migratory financial systems, and already constrained
personnel resources make extensive manual operations cost
prohibitive. Interim migratory systems selection criteria
require integrated data bases, and efforts are in process
to ensure integration of our interim financial systems with
the Joint Logistics Systems Center standard logistics system
development efforts. A full integration of the standard
finance and logistics systems will eliminate the need for
inventory and financial record reconciliations. In the
interim, DFAS will make every effort to minimize these types
of imbalances pending interim migratory systems selection,
their integration with logistics systems, and implementation
at DFAS support sites.

We recommend that the Director, Defense
Finance and Accounting Service - Indianapolis Center,
disclose any material discrepancies in inventory balances
between the Standard Army Financial Inventory Accounting and
Reporting System and the Standard Army Intermediate Level
Supply System in a footnote to the financial statements of
the Army Defense Business Operations Fund Supply Management
Business Area.

DFAS Response: Concur in principle. As noted for
recommendation A.1., the systems audited are older systems
not expected to become an interim migratory system DFAS will
use to support the DBOF. Based upon prior audits, systems
change requests have been initiated, for some time, to
accumulate this data in financial systems. Competing
priorities, however, have prevented their completion. In
order to accumulate and report the information necessary to
produce footnotes to financial statements would require an
added manual function. Also, the net aggregated amount of
differences between the Standard Army Financial Inventory
Accounting and Reporting System and the Standard Army
Intermediate Level Supply System inventory balances does not
exceed the three percent materiality threshold used by the
General Accounting Office in their audit manual for material
footnote disclosures.

n.3* We recommend that the Director, Defense
Finance and Accounting Service - Indianapolis Center,
disclose, in a footnote to the Army Supply Management
financial statements, the total inventories paid in transit
that are more than 90 days old, if the amounts are
considered material.

DFAS Response: Concur in principle. As noted for prior
recommendations, the age of the support systems, their
anticipated replacement, and constrained resources prevent a
cost effective manual data accumulation process. As for the
inventory differences, the amount of inventory in transit
for DBOF did not exceed the three percent materiality
threshold used by the General Accounting Office in their
audit manual for material footnote disclosures.

• Recommendation C.2: We recommend that the Director, Defense
Finance and Accounting Service - Indianapolis Center,
develop procedures and controls for its software development
staff to verify the adequacy of documentation of all
software test plans and testing results for its Standard
Army Financial Inventory Accounting and Reporting System.

• DFAS Response: Concur. Current DFAS guidance provides the
procedures and controls recommended. All future tests will
be the subject of formal test plans formulated in compliance
with the DFAS guidance. All such plans, and their results
will be maintained for audit. The functional proponent for
the Standard Army Financial Inventory Accounting and
Reporting System does have, on file, written verification
that the 16 "interim" change packages referred to in the
audit report were tested and validated by users of the
system. "Interim" change packages are operationally
validated as follows:

a. A version description of the corrective action in the
change package is sent to the test site.

b. The code for the "interim" change is sent to a
production user, who tests the changes.

c. The "lead site" tests the change and informs the
proponent of the results.

d. Depending upon the test results, the change package is
either revised to correct any deficiencies or released
for implementation by all users.

Action is considered complete.

U.S. Army Information Systems Software Development Center - Washington Comments


DEPARTMENT OF THE ARMY
U.S. ARMY INFORMATION SYSTEMS SOFTWARE DEVELOPMENT CENTER-WASHINGTON
FORT BELVOIR, VIRGINIA


ASQB-IWC


L September 1994


MEMORANDUM  FOR  Department  of  Defense  Inspector  General,  400  Army 
Navy Drive, Arlington, Virginia 22202-2884

SUBJECT: DRAFT Audit report on Application Controls Over Selected
Portions for the Standard Army Intermediate Level Supply
System (Project No. 3FG-2020)


1. SDC-W reviewed the subject audit report and our comments
concerning  the  findings  and  recommendations  are  in  enclosure  1. 

2.  We  will  continue  to  aggressively  pursue  all  corrective  actions 
until  they  are  all  completed. 

3.  Findings  have  been  coordinated  through  the  ISC  Command  Group 
and  the  Office  of  Inspector  General. 

4. Please direct questions regarding planned actions for SDC-W, to
Mr. Edward Salseda, DSN 235-9933.


Enclosure 

as


SOFTWARE DEVELOPMENT CENTER - WASHINGTON COMMENTS


Finding C. Access Controls and Software Development Procedures.

Recommendation 1a: Provide additional security training to the
Washington Development Center Information System Security Officer
includes training on the Access Control Facility-2 (ACF2) security
software.

Position: Concur

Planned action: Training request for ACF2 training has been
submitted to SDC-W training coordinator and other additional computer
security will also be requested.


Recommendation 1b: Limit access to software libraries for the
Standard  Army  Intermediate  Level  Supply  system  and  the  Standard 
Army  Financial  Inventory  Account  and  Reporting  System  to  personnel 
whose  duties  require  such  access  in  a  manner  that  would  provide 
adequate  separation  of  duties. 

Position:  Concur 

Planned  action:  Evaluating  users  requirements  for  continued  access 
to the SAILS (ALS) and STARFIARS (ALF) systems using the SIC
proponent codes used in the ACF2 to protect software libraries.
Coordinate with the Terminal Area Security Officer (TASOs) to
eliminate future unauthorized access.

Recommendation 1c: Limit access to the Access Control Facility 2
security software to those personnel that have computer security
responsibilities.

Position:  Concur 

Action  taken:  The  System  programmers  given  special  access  to  the 
ACF2 system during the transfer of computer function have had their
access returned to normal system programmer access. The quality
assurance application programmers have had their access limited.
This was completed in July 94

Recommendation 1d: Review prior access to the Standard Army
Intermediate Level Supply System and the Standard Army Financial
Inventory Accounting and Reporting System production libraries and
the Access Control Facility-2 to determine if any improper access
to these systems have been made and to determine the effects of the
unauthorized access on the integrity of the system.

Position: Concur

Actions taken: The SDC-W ISSO/ACF2 administrator made a review of
the systems SYS2 production libraries for unusual data set record
updates in July 94.

Planned action: Continued reviewing the daily ACF2 report for
invalid password and authority log and the dataset access journal
logging records in this report. No report of unauthorized access
or compromise of integrity has been noted.

Recommendation 1e: Activate the security logging feature of the
ACF2 security software and require its security officer to review
the log for attempts at improper access to the system and usage of
sensitive files.

Position: Concur

Planned action: Daily ACF2 security report with the password and
authority log is currently in place and reviewed daily by SDC-W
ISSO/ACF2 administrator.

Recommendation 1f: Verify that a Terminal Area Security Officer
has been appointed at the Systems Design Center at Fort Lee as
required  by  Army  Regulation  380-19,  Information  Systems  Security, 
August  1,  1990. 

Position:  Concur 

Action  taken:  Appointment  made  by  Chief  of  Plans  and  Operations, 
SDC-L, CPT Ward Mason, 29 Aug 94.